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OIG 



The Department of the Treasury 
Office of Inspector General 



Audit 
Report 



March 25, 2014 

Jennifer Shasky Calvery, Director 
Financial Crimes Enforcement Network 

The Financial Crimes Enforcement Network (FinCEN) administers 
the Bank Secrecy Act (BSA), which established the framework to 
combat criminal use of the financial system. BSA requires financial 
institutions to report certain financial transactions made by their 
customers. FinCEN oversees the management, processing, storage, 
and dissemination of BSA data. In November 2006, FinCEN began 
a system development effort, the BSA Information Technology 
Modernization Program (BSA IT Mod), to improve the collection, 
analysis, and sharing of BSA data. The intent of the effort was, 
among other things, to transition BSA data from the Internal 
Revenue Service (IRS) to FinCEN. BSA IT Mod is estimated to cost 
$120 million and is to be completed in 2014. 

Pursuant to a Congressional directive, we conducted the fifth in a 
series of audits of FinCEN's BSA IT Mod. 1 Consistent with the 
Congressional directive, the objectives of the audit were to 
determine if FinCEN is (1) meeting cost, schedule, and performance 
benchmarks for the program and (2) providing appropriate oversight 
of contractors. We also assessed any deviations from FinCEN's 
plan. The period covered by this audit was July through December 



1 House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including contractor 
oversight and progress regarding budget and schedule, semiannually. Our prior four reports issued 
under this directive are: FinCEN's BSA IT Modernization Program Is on Schedule and Within Cost But 
Requires Continued Attention to Ensure Successful Completion (OIG-1 2-047; Mar. 26, 2012); 
FinCEN's BSA IT Modernization Program Is Meeting Milestones, But Oversight Remains Crucial 
(OIG-1 2-077; Sep. 27, 2012); FinCEN's BSA IT Modernization Program Met Milestones with Schedule 
Extensions (OIG-1 3-036; Mar. 28, 2013); and FinCEN's BSA IT Modernization Program Was within 
Budget and on Schedule But Users Suggest Enhancements (OIG-1 3-053; Sep. 25, 201 3). 
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2013. We interviewed FinCEN program officials, Treasury's Office 
of Chief Information Officer (OCIO) officials, and representatives 
from Deloitte Consulting, LLP (Deloitte), and MITRE Corporation 
(MITRE), the contractors involved with the program. 2 We also 
reviewed applicable program documentation. We performed our 
fieldwork from November 2013 through January 2014. Appendix 1 
provides a more detailed description of our audit objectives, scope, 
and methodology. Appendix 2 provides additional background 
information on BSA IT Mod, including its component projects. 

In September 2013, we reported on FinCEN's BSA IT Mod as of 
June 201 3. 3 We found that BSA IT Mod was within budgeted 
costs and that all planned milestones were completed except one, 
the Broker Information Exchange project. 4 The schedule for this 
milestone, the last one for BSA IT Mod, was modified to 
incorporate phases and adjusted from April 2013 to April 2014 
because of a reorganization of FinCEN that required additional time 
to define the project's requirements and align with the new 
organization areas and priorities. Additionally, we reported that 
FinCEN Query users from law enforcement and regulatory agencies 
we interviewed were generally satisfied with the system, but 
expressed some limitations and suggested enhancements. 5 FinCEN 
analysts we interviewed told us that Advanced Analytics met their 



2 FinCEN contracted with Deloitte to oversee the systems development and integration effort. Deloitte 
was the prime contractor in the BSA IT Mod effort. FinCEN also engaged MITRE as a subject matter 
expert on program and project management and BSA IT Mod business capabilities. MITRE is a not-for- 
profit organization chartered to work in the public interest with expertise in systems engineering, 
information technology, operational concepts, and enterprise modernization. See appendix 2 for 
additional detail about FinCEN's BSA IT Mod contracts. 

3 FinCEN's BSA IT Modernization Program Was within Budget and on Schedule But Users Suggest 
Enhancements (OIG-1 3-053; Sep. 25, 2013). 

4 The Broker Information Exchange project is to provide a mechanism to share case information for both 
internal and external users. It also is to allow (a) law enforcement agencies to submit requests 
through FinCEN to financial institutions for information about financial accounts and transactions of 
persons or businesses that may be involved in terrorism or money laundering and (b) financial 
institutions to share information with one another through FinCEN to identify and report suspicious 
money laundering or terrorist activities to the federal government. 

5 FinCEN Query is used by FinCEN internal users and by registered external users to retrieve and 
analyze BSA data. 
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needs though it was somewhat complex; the analysts also stated 
that additional training would be beneficial. 6 

In addition, we reported that BSA IT Mod had progressed from the 
development phase to the operations and maintenance phase and 
that there was a continued risk to the remaining project 
development work with the program's high-level of dependency 
between its component projects. Another risk we identified was 
that users' needs differed and that FinCEN should consider, 
prioritize, and accommodate those differences. We cautioned that 
FinCEN's continued attention will be necessary as FinCEN Query 
and Advanced Analytics users become more familiar with the 
system and may request changes, enhancements, and support. 

Results in Brief 

As of December 2013, we found that BSA IT Mod remained within 
budgeted costs and was on schedule to be completed by April 1, 
2014. During the audit period, FinCEN completed the first phase of 
Release 2 of the Broker Information Exchange, the final milestone 
project, within budget but 7 weeks beyond the planned schedule. 
We do not consider this delay as significant. 

FinCEN conducted performance testing of BSA IT Mod for the first 
phase of Release 2 of the Broker Information Exchange and system 
releases completed as part of operations and maintenance. 7 FinCEN 
also completed its first user survey on FinCEN Portal 8 and FinCEN 
Query, which will be used as a baseline for future customer 
satisfaction surveys. 9 Survey respondents indicated that accessing 
BSA data and developing queries was somewhat cumbersome and 
complex. Users also expressed the need for additional training and 
enhancements. 



6 Advanced Analytics provides complex search and retrieval functionality such as statistical analyses for 
FinCEN internal users to support their analytical, law enforcement, and regulatory activities. 

7 In the operations and maintenance phase, FinCEN manages the BSA IT Mod as one complete system; 
this includes prioritizing and resolving defects and change requests in common combined releases. 

8 Law enforcement and regulators access BSA data by logging through FinCEN Portal and then 
accessing FinCEN Query. 

9 2013 FinCEN Portal and FinCEN Query Performance Measure Survey FY 2013 (Sep. 201 3). 
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In our previous audit, users told us that there was no mechanism 
to allow agency BSA IT Mod administrators to monitor staff use of 
FinCEN Query or to limit access to particular features to detect 
potential misuse and help ensure that BSA data is safeguarded. 
During this audit, FinCEN agreed to provide one user agency with 
logs detailing its employees' use of FinCEN Query. 10 FinCEN has 
acknowledged its responsibility to monitor usage of FinCEN Query, 
and has begun to develop its own inspection program to monitor 
potential misuse. 

In our September 2013 report, we reported that FinCEN maintained 
oversight of BSA IT Mod and that MITRE and Deloitte were 
providing less support to FinCEN's BSA IT Mod program 
management as the development effort moved into operations and 
maintenance. We also found Treasury OCIO's monitoring of the 
program was appropriate based on the overall positive track record 
by FinCEN managing the BSA IT Mod development effort. During 
our current audit, FinCEN's oversight responsibilities increased by 
providing more direction and oversight of the integration across the 
various contracts as contractors transitioned away from providing 
development program support. 11 No change occurred in the level of 
program oversight by Treasury OCIO. 

We are recommending that FinCEN (1) continue to work with users 
to address user requests for training and enhancements and 
(2) make agencies aware of the process for contacting FinCEN if 
misuse of BSA data is suspected. 

In its management response, which is provided in appendix 4, 
FinCEN concurred with our recommendations. Its actions, both 
taken and planned, are summarized in the Recommendations 
section of this report and meet the intent of the recommendations. 
With regard to continuing to address user requests for training and 
enhancements, FinCEN uses the Data Management Council (DMC) 
as the forum to discuss the business impacts of system issues 



10 BSA IT Mod includes an audit log of user activity on the system. FinCEN officials stated that FinCEN 
is ultimately responsible for maintaining the logs and monitoring BSA IT Mod system use. 

11 During the period covered by our audit, Deloitte discontinued providing FinCEN with BSA IT Mod 
program management and operations and maintenance support as the contract for these tasks 
expired. FinCEN awarded contracts to other contractors for these services. See appendix 2 for 
additional detail. 
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raised by users. 12 FinCEN will continue to use the DMC in this 
manner as it prioritizes work efforts throughout operations and 
maintenance. With regard to making agencies aware of the process 
for contacting FinCEN if misuse of BSA data is suspected, FinCEN 
plans to present the current process for investigating potential 
misuse of data to the DMC. Additionally, FinCEN will notify each 
agency coordinator that if misuse of BSA data is suspected, the 
coordinator should contact FinCEN. 



Findings 

Finding 1 BSA IT Mod Program Remained within Budget and Mostly 

on Schedule 

As of December 2013, we found that BSA IT Mod remained within 
budgeted costs and was on schedule to be completed by April 1, 
2014. During the audit period, FinCEN completed the first phase of 
Release 2 of the Broker Information Exchange, the final milestone 
project, within budget but 7 weeks beyond the planned schedule. 
We do not consider the delay as significant. 

BSA IT Mod Kept within Budgeted Costs 

As of December 31, 2013, FinCEN reported that it spent 
approximately $105.7 million developing BSA IT Mod from its 
overall $120 million, 4-year planned budget. Not included in this 
amount was approximately $1 1 .2 million in initial program planning 
costs, which we addressed in our March 2012 report. In that 
regard, FinCEN's actual program costs incurred through December 
201 3 were approximately $ 1 1 6.9 million. A breakdown by 
category of the actual costs incurred is provided in Table 1 below. 



12 The DMC provides a forum for internal and external stakeholders to communicate their organizations' 
views to FinCEN. These members provide input on system and data-related topics including request 
for changes, data-related issues, and system defects. 
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Table 1: BSA IT Mod Costs as of December 31, 2013 (in millions) 



Category 


Amount 


Initial Planning 


$1 1 .2 


Development 


Hardware and Software 


10.3 


Contractor Services 


46.0 


Other 1 


15.4 


Operations and Maintenance 2 


27.4 


FinCEN staffing costs 3 


6.6 


Total 


$1 16.9 



Source: OIG analysis of FinCEN data. 

1 Other costs are comprised of (1 ) program management and program 
engineering performed by contractors including Deloitte and MITRE, (2) a 
contract office fee of 4 percent for the Department of the Interior's 
National Business Center Acquisition Services Directorate for contract 
support of the BSA IT Modernization Program, and (3) a management 
reserve for potential additional work to be performed within the authorized 
work scope of the contract or to accommodate rate changes for future 
work. 

2 Operations and Maintenance costs are comprised of hosting costs by the 
Treasury's Bureau of the Fiscal Service, hardware and software 
maintenance support, network support, application support, and the 
application help desk costs. 

3 Staffing costs are estimated based on FinCEN's Exhibit 300 submissions to 
the Office of Management and Budget (OMB). FinCEN does not track the 
staffing costs associated with BSA IT Mod. (Note: Required by OMB 
Circular No. A-1 1 , Preparation, Submission, and Execution of the Budget, 
the Exhibit 300 describes the justification, planning, and implementation of 
an agency's major IT investments.) 



FinCEN is funding BSA IT Mod through $1 19.9 million made 
available in its annual congressional appropriations and through 
supplemental funding from the Treasury Forfeiture Fund 
administered by the Treasury Executive Office of Asset Forfeiture 
(TEOAF). TEOAF provided funding for BSA IT Mod consistent with 
its authority to provide funds for law enforcement related 
expenditures. 13 Table 2 below identifies the program's funding 
sources by year. 



13 The Treasury Forfeiture Fund, which is the receipt account for the deposit of non-tax forfeitures 
resulting from law enforcement actions by participating Treasury and Department of Homeland 
Security agencies. The Treasury Forfeiture Fund was established under 31 U.S.C. § 9703. The Fund 
can provide money to other federal entities to accomplish specific objectives for which the recipient 
entities are authorized to spend money and toward other authorized expenses. Distributions from this 
Fund in excess of $500,000 cannot be used until the Appropriations Committees from both houses 
of Congress are notified. TEOAF submits its planned release of funds to Congress annually. Those 
submissions through fiscal year 2012 included the funding provided for the BSA IT Mod program. 
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Table 2: BSA IT Mod Funding Sources as of December 31, 2013 



(in millions) 







Treasury 




Fiscal 


Congressional 


Forfeiture 




Year 


Appropriation 


Fund 


Total 


2009 


$2.5 


$3.7 


$6.2 


2010 


18.5 


1 1 .7 


30.2 


201 1 


18.5 


1 1 .5 


30.0 


2012 


23.5 


6.5 


30.0 


2013 


23.5 


0.0 


23.5 


Total 


$86.5 


$33.4 


$1 19.9 



Source: OIG analysis of FinCEN and TEOAF documentation. 

After the planned completion of the final milestone project (the 
second phase of Release 2 of the Broker Information Exchange) in 
April 2014, FinCEN will continue to fund BSA IT Mod operation 
and maintenance through FinCEN's annual appropriation. FinCEN's 
fiscal year 2014 budget request included $23.5 million to fund the 
program's operation and maintenance. 14 

BSA IT Mod Remained on Schedule But the First Phase of Final 
Milestone Project Was Delayed 

As of December 31, 2013, BSA IT Mod remained on schedule and 
is to be completed by April 1, 2014, with the planned completion 
of the final milestone project - the second phase of Release 2 of 
the Broker Information Exchange. Appendix 3 provides the status 
of BSA IT Mod by project. 

During the audit period, FinCEN completed the first phase of 
Release 2 of the Broker Information Exchange within budgeted 
costs but 7 weeks beyond the planned schedule. FinCEN program 
management officials told us that additional time was required to 
finalize the project requirements and resolve software integration 
issues encountered during development and testing. 15 



14 FinCEN's fiscal year 201 4 budget request was $1 03.9 million. Congress appropriated $112 million to 
FinCEN in the Consolidated Appropriations Act, 2014 (Public Law 1 13-76). 

15 The term software integration refers to the process that ensures software works together correctly; 
integration issues between Microsoft and Oracle software platforms caused the delay. 
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Finding 2 FinCEN Addressed User Requested Enhancements and 

Completed the First Survey on FinCEN Query 



FinCEN conducted performance testing of BSA IT Mod for the first 
phase of Release 2 of the Broker Information Exchange and system 
releases completed as part of operations and maintenance. FinCEN 
also completed its first user survey on FinCEN Portal and FinCEN 
Query, which will be used as a baseline for future customer 
satisfaction survey results. Survey respondents indicated that 
accessing BSA data and developing queries was somewhat 
cumbersome and complex. Users also expressed the need for 
additional training and enhancements. 

Performance Testing of BSA IT Mod Continued 

FinCEN continued performance testing through government 
acceptance testing. 16 FinCEN tested the first phase of Release 2 of 
the Broker Information Exchange, as well as the enhancements 
completed to other releases as part of operations and maintenance. 
FinCEN continued to manage BSA IT Mod in the operations and 
maintenance phase. 

FinCEN officials told us there were no significant data processing 
issues or significant performance issues observed in production. 
FinCEN and MITRE officials considered all open defects to be of 
low severity, meaning that the defects would not significantly 
impair program performance or functionality. 17 Our review of 
program documentation did not identify any significant 
performance issues. 

FinCEN Conducted an Initial Customer Satisfaction Survey 

As of December 31, 2013, approximately 9,500 users had 
performed approximately 4.5 million data queries since FinCEN 



16 Government acceptance testing is the Government's opportunity to validate that the current release's 
requirements were met. This includes testing functionality, system usability, permissions and 
security, compatibility testing, and traceability to business requirements through test script 
execution, demonstrations and inspections. Performance and response time are also observed. 

17 FinCEN logs and prioritizes all defects, requests for change and enhancements, as well as necessary 
fixes to repair system functionality. As of December 31, 2013, FinCEN had 189 requests for 
changes and enhancements and 291 open defects, which FinCEN continued to address. 
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Query went live in September 2012. In June 2013, FinCEN 
surveyed 8,000 users of FinCEN Portal and FinCEN Query 
regarding their level of satisfaction with those systems. 
Approximately 1,000 responses were received representing a 
response rate of 13 percent. According to the survey administrator 
used by FinCEN, the response rate was sufficient to ensure a high 
sampling confidence of over 90 percent. 18 

The survey results revealed a score of 62, on a scale of 0 to 100, 
regarding the respondents' overall level of satisfaction with FinCEN 
Query. 19 This score was derived from the responses to three 
survey questions in which respondents rated their experiences with 
FinCEN Query— their overall satisfaction in accessing BSA data 
through FinCEN Query; how FinCEN Query met their expectations; 
and how FinCEN Query compared to what the respondents would 
consider to be an ideal BSA data and retrieval system. Also of 
note, the respondents favorably rated the overall value of BSA data 
(a score of 77) as well as the support received from FinCEN's 
application's help desk (a score of 84). 

The survey also provided several open-ended questions where 
respondents could comment. Respondent's comments to the 
survey indicated that accessing BSA data through FinCEN Portal 
and developing queries through FinCEN Query was somewhat 
cumbersome and complex. Respondents also stated the need for 
additional training, including hands-on training, as well as 
enhancements. 

Survey ratings from one component within IRS, representing 26 
percent of the total survey responses, were markedly less favorable 
than those provided by respondents from other agencies. FinCEN 
and IRS officials told us that users with this one IRS component 
were still transitioning away from a legacy BSA data system 



18 The survey was administered by CFI Group, which has conducted surveys on behalf of FinCEN since 
2005. 

19 An American Customer Satisfaction Index (ACSI) score was derived from the weighted average of 3 
survey questions. ACSI is the only uniform, cross-industry/government measure of customer 
satisfaction and used to develop benchmarks across government. ACSI has measured more than 100 
programs of federal agencies since 1999. The federal government's ASCI score was 68 for 2012. 
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maintained by IRS and that they had not been using FinCEN Query 
for as long as other agencies. 

At the time of the survey, FinCEN Query had been available to 
external users for about 9 months. 20 FinCEN program officials told 
us that the survey results established a baseline for improvement, 
as it was the first survey involving FinCEN Portal and FinCEN 
Query. They expected survey scores to be generally low because 
FinCEN Portal and FinCEN Query were still relatively new to users, 
but expected future survey scores to rise as users become more 
familiar with the systems through experience and training. 

FinCEN officials told us that, overall, the survey indicated that 
users needed to be better educated on how FinCEN Query is a 
search engine and how it is data-driven as opposed to forms- 
driven, meaning it returns all the data regardless of form-type, in 
order to improve their ability to use it. As planned, FinCEN, in 
conjunction with user group liaisons, completed development of a 
training plan for external users and its analysts in February 2014. 

FinCEN Continued to Address User Requests for Enhancements 

In our last report, we noted that BSA IT Mod users had identified 
some limitations with FinCEN Query and cited the need for 
enhancements. Since June 2013, FinCEN has worked with users 
through the DMC to address and prioritize suggested 
enhancements as discussed below. 

Improvements in Downloading and Searching Fields 

In our previous audit, users told us that FinCEN Query search 
results were challenging to sort in Microsoft Excel which made 
analysis difficult. We were told that certain data fields within BSA 
IT Mod could not be searched. During this audit, FinCEN provided 
regulators and law enforcement users the capability to customize 
FinCEN Query downloads for exporting into Microsoft Excel. 
FinCEN also added about 40 data fields to FinCEN Query search 
results and made additional data fields searchable. 



The initial rollout of FinCEN Query to external users began September 2012. 
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Agencies' Ability to Monitor or Limit Use of FinCEN Query 

In our previous audit, users told us that there was no mechanism 
to allow agency BSA IT Mod administrators to monitor staff use of 
FinCEN Query or to limit access to particular features to detect 
potential misuse and ensure that BSA data is safeguarded. During 
this audit, FinCEN officials told us that disseminating this 
information to user agencies was not part of the original business 
requirements for BSA IT Mod and that it was ultimately FinCEN's 
responsibility to monitor for potential misuse. In this regard, FinCEN 
has begun to develop its own inspection program to ensure the 
BSA data is not misused. FinCEN also agreed to provide one 
agency, IRS, with logs that detail its employees' use of FinCEN 
Query. 21 Regarding limiting access to particular features, such as to 
Suspicious Activity Reports, FinCEN officials told us that this 
feature was not built into BSA IT Mod's FinCEN Query because the 
system was not designed to operate in this manner as all BSA data 
is treated the same — not differentiated by form type. 

While FinCEN has acknowledged its responsibility to monitor usage 
of FinCEN Query, and has begun to develop its own inspection 
program to monitor potential misuse, we believe that FinCEN 
should encourage the agencies to contact FinCEN if misuse of BSA 
data is suspected. 

Risks to BSA IT Mod Continue 

Similarly to what we reported in September 201 3, there is 
continued risk with the program's high-level of dependency 
between its component projects. FinCEN officials told us that this 
risk is an inherent risk in all IT programs and that they expect the 
risk to continue as programming changes in any component may 
affect and require programming changes to other components of 
the system. Not unexpectedly, FinCEN and MITRE officials told us 
that the loss of knowledge due to Deloitte's departure from its 
support of BSA IT Mod's operations and maintenance represents an 
additional risk to the ongoing system. 22 



21 BSA IT Mod includes an audit log of user activity on the system. FinCEN officials stated that FinCEN 
is responsible for maintaining the logs and monitoring BSA IT Mod system use. 

22 Deloitte provided operation and management and applications support as part of the BSA IT Mod 5- 
year contract that FinCEN awarded Deloitte in 2008. See appendix 2 for additional detail. 
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Finding 3 FinCEN Assumed More BSA IT Mod Oversight 

Responsibility 



In our September 2013 report, we reported that FinCEN maintained 
oversight of BSA IT Mod and that MITRE and Deloitte were 
providing less support to FinCEN's BSA IT Mod program 
management as the development effort moved into operations and 
maintenance. We also found Treasury OCIO's monitoring of the 
program was appropriate based on the overall positive track record 
by FinCEN managing the BSA IT Mod development effort. During 
our current audit, FinCEN's oversight responsibilities increased as 
contractors transitioned away from providing program support for 
the development effort to managing the integration of multiple 
contractors in the operations and maintenance phase. No change 
occurred in the level of program oversight by Treasury OCIO. 

FinCEN Oversight 

FinCEN took on more BSA IT Mod oversight responsibility during 
this audit period as MITRE transitioned away from providing routine 
program management and technical support as the program 
progressed from development to the operations and maintenance 
phase. 

MITRE representatives told us that they had no concerns regarding 
its transition away from its support of FinCEN and that FinCEN 
staff had matured sufficiently in order to manage the program. 

Deloitte discontinued providing FinCEN with BSA IT Mod program 
management support, as the task order for this service in its 
contract had expired and was awarded to a new contractor. 23 
However, Deloitte will provide project status reports for the final 
project— the second phase of Release 2 of the Broker Information 
Exchange. Deloitte had no concerns over the transition of their 
responsibilities to the new contractor. 



In September 2013, FinCEN awarded a new contract for BSA IT Mod program management support 
to Total Systems Technologies Corporation. See appendix 2 for additional information. 
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Treasury OCIO Oversight 

In our previous audit, we found Treasury OCIO's monitoring of the 
program appropriate given the overall positive track record by 
FinCEN managing the BSA IT Mod development effort. During this 
audit, we found Treasury OCIO continued to monitor FinCEN 
monthly data submissions to identify potential issues and 
performed macro-level reviews including trend analysis. Treasury 
OCIO also conducted quarterly investment status meetings with 
FinCEN and still plans to conduct a post implementation review 
upon the program's completion. The post implementation review 
will evaluate whether the system works as originally planned. 

Treasury OCIO officials told us that BSA IT Mod was performing 
well and that they were satisfied with the level and quality of the 
program data provided by FinCEN. They were also satisfied with 
FinCEN's management of the program. 

As we reported in our previous audits of BSA IT Mod, the Treasury 
CIO is a member of both the BSA IT Mod Modernization Executive 
Group and Executive Steering Committee, which meets on a 
quarterly basis or when a major decision or approval is sought. In 
December 2013, Treasury CIO attended a Modernization Executive 
Group meeting in which members conditionally approved ending its 
BSA IT Mod governance in March 2014. Treasury OCIO officials 
expressed to us that they had no concerns over this action. 

We believe that the oversight by FinCEN management and Treasury 
OCIO during this audit period was appropriate given the overall 
positive track record by FinCEN in managing its BSA IT Mod 
development effort. 

Recommendations 

We recommend the FinCEN Director: 

1 . Continue to work with users to address user requests for 
training and enhancements. 
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Management Response 



FinCEN uses the DMC as the forum to discuss the business 
impacts of system issues raised by users (which can include 
corrections, modifications, or enhancements to system 
capabilities, reports, and/or training). FinCEN will continue to 
use the DMC in this manner to inform the Investment Review 
Board as it prioritizes work efforts throughout operations and 
maintenance. 24 

OIG Comment 

The above commitment by FinCEN meets the intent of our 
recommendation. 

2. Make agencies aware of the process to contact FinCEN if 
misuse of BSA data is suspected. 

Management Response 

FinCEN plans to present the current process for investigating 
potential misuse of data to the DMC. Additionally, FinCEN will 
notify each agency coordinator that if misuse of BSA data is 
suspected, the coordinator should contact FinCEN. The planned 
completion date is April 2014. 

OIG Comment 

The above commitment by FinCEN meets the intent of our 
recommendation. 



FinCEN's Investment Review Board is an executive level body responsible for overseeing major IT 
investments such as BSA IT Mod. 
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We appreciate the cooperation and courtesies extended to our staff 
during the audit. If you wish to discuss the report, you may 
contact me at (617) 223-8638 or Mark Ossinger, Audit Manager, 
at (617) 223-8643. Major contributors to this report are listed in 
appendix 5. 

/s/ 

Sharon Torosian 
Audit Director 
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Objectives, Scope, and Methodology 



Pursuant to a Congressional directive, this is the fifth in a series of 
audits of the Financial Crimes Enforcement Network's (FinCEN) 
Bank Secrecy Act (BSA) Information Technology Modernization 
Program (BSA IT Mod). 25 Our objective was to determine if FinCEN 
is (1) meeting cost, schedule, and performance benchmarks for this 
program and (2) providing appropriate oversight of contractors. In 
addition, we evaluated any deviations from FinCEN's plan. We 
determined the status of the program's cost, schedule, and 
performance through December 31, 2013. 

To accomplish our objective, we interviewed officials with FinCEN, 
Department of the Treasury's Office of the Chief Information 
Officer (OCIO), and FinCEN's contractors. In addition, we reviewed 
applicable program documentation including the 2013 FinCEN 
Portal and FinCEN Query Performance Measure Survey. We 
performed our fieldwork from November 2013 through January 
2014. 

At FinCEN, we interviewed: 

• The Chief Information Officer (CIO), Chief Technology Officer 
(CTO), and BSA IT Mod Program Manager to obtain an update 
on BSA IT Mod, cost and schedule concerns, project testing 
conducted and defect resolution, strategies employed, and 
overall progress of the program. 

• The project managers, project leaders, and contracting officer's 
representatives to obtain an understanding of their perspective, 
level of involvement, schedule and performance concerns, and 
overall progress of their respective projects. 

• The contracting officer's representative for the 2013 FinCEN 
Portal and FinCEN Query Performance Measure Survey to gain 
an understanding of the results, scope, and methodology used 
for the survey. 



House Report (H. Rept.) 112-331. 
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External to FinCEN, we interviewed the following officials: 

• Deloitte LLP's Managing Director and Deloitte's Program 
Manager for BSA IT Mod to obtain an update on their 
perspective of BSA IT Mod and ascertain the program's status. 
These interviews were conducted at the contractor's office in 
Rosslyn, Virginia. 

• MITRE Corporation (MITRE) representatives to obtain an update 
of MITRE's role as the federally funded research and 
development contractor, its level of involvement with the 
program, as well as issues, concerns, and other significant 
matters observed. These interviews were conducted at MITRE's 
office in McLean, Virginia. 

• The Treasury OCIO's Director of IT Capital Planning for an 
update on OCIO's role in overseeing BSA IT Mod, as well as 
issues, concerns, and other significant matters. 

• CFI Group Program Director to obtain additional information on 
the 2013 FinCEN Portal and FinCEN Query Performance 
Measure Survey to gain an understanding of the results, scope, 
and methodology used for the survey. 

We reviewed FinCEN program-related information, including: 
management reports; minutes from executive, management, and 
technical meetings; planning documentation; program and project 
level documentation; and FinCEN presentations to internal and 
external oversight groups (e.g., Congress, Office of Management 
and Budget, Treasury OCIO, BSA IT Mod Modernization Executive 
Group and Executive Steering Committee, and FinCEN 
management). 

We reviewed the final report and the raw data for a FinCEN- 
commissioned 2013 FinCEN Portal and FinCEN Query Performance 
Measure Survey. We reviewed the raw data to provide a 
reasonable assurance of the validity of results reported by the 
vendor. We also reviewed the narrative responses to the survey's 
open-ended questions to assess the user's satisfaction with the 
BSA IT Mod and any potential performance issues with the 
program. We paid particular attention to the survey responses from 
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various Department of Justice (DOJ) component agencies as our 
attempt to obtain their feedback during our previous audit could 
not be coordinated. 26 

To substantiate that performance testing had occurred on BSA IT 
Mod, we interviewed FinCEN officials involved with BSA IT Mod 
government acceptance testing and reviewed testing-related 
documentation, including testing plans and status reports. We 
determined that any testing defects and issues identified during 
testing were recorded in FinCEN's project management and issues 
tracking system. 

We conducted this performance audit in accordance with generally 
accepted government auditing standards. Those standards require 
that we plan and perform the audit to obtain sufficient, appropriate 
evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 



In our previous audit, we attempted to obtain DOJ feedback from BSA IT Mod users within its 
various components agencies; however, user interviews could not be coordinated in time for the 
audit. In this audit, we determined that the DOJ comprised 19 percent of the survey respondents, 
which we believe captured the DOJ BSA IT Mod users' experiences and opinions with BSA IT Mod; 
accordingly, we did not interview DOJ users as part of this audit. We plan to contact DOJ users to 
obtain their feedback as part of our next audit of BSA IT Mod. 
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FinCEN's efforts to establish a system to manage and house 
BSA data has been an extensive process. Planning of the 
BSA IT Mod program began after an earlier attempt to 
establish a similar program failed. 27 Figure 1 provides a 
timeline of significant events in the BSA IT Mod program. 



Figure 1 . Timeline of Significant Events in FinCEN's BSA System Modernization Efforts 
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Exchange 
Project 



Source: OIG review of FinCEN data. 



Projects Included 

BSA IT Mod is made up of multiple projects with specific 
components. The projects are summarized below. All 
projects except for the Broker Information Exchange were 
completed as of December 31, 2013. 



FinCEN terminated BSA Direct Retrieval and Sharing after concluding the project had no 
guarantee of success. We reviewed that failure and found that FinCEN poorly managed the 
predecessor project, insufficiently defined functional and user requirements, misjudged 
project complexity, and established an unrealistic completion date. We also found that the 
Treasury OCIO did not actively oversee the project, as required by the Clinger-Cohen Act of 
1 996. Treasury Office of Inspector General (OIG), The Failed and Costly BSA Direct R&S 
System Development Effort Provides Important Lessons for FinCEN's BSA Modernization 
Program (OIG-1 1-057: Jan. 5, 2011). 
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• System of Record (SOR) provides data storage and 
architecture for BSA data for 1 1 years of BSA data. 

• Shared Filing Services provides for validation of BSA data 
with external data sources, such as validation of 
addresses to U.S. Postal Service data. 

• Third Party Data provides the SOR additional BSA data 
through external data sources such as the financial 
institution identification number assigned by the Federal 
Reserve. 

• Bulk Data Dissemination is used for the distribution of 
large quantities of BSA data to external users. 

• Data Conversion converted 1 1 years of BSA data from an 
Internal Revenue Service legacy system to the FinCEN's 
new SOR. 

• BSA E-Filing is used by BSA filers to submit all required 
electronic filing of BSA forms to FinCEN. 

• FinCEN Query is a tool designed to improve authorized 
users' ability to access and analyze BSA data. The tool is 
used by FinCEN internal users and by registered external 
users and customers to retrieve and analyze BSA data. 
The tool supports traditional structured BSA data queries, 
and provides narrative search capabilities and options to 
coordinate and collaborate with users on queries 
performed. 

• Advanced Analytics provides complex search and 
retrieval functionality for FinCEN internal users to support 
their analytical, law enforcement, and regulatory 
activities. The tool provides advanced analytical 
capabilities such as geospatial, statistical analysis, social 
networking, semantic interchange, and visualization 
capabilities. 

• Register User Portal/Identity Management/Access Control 
Management provides the means for common user 
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interface and authentication process through which both 
internal and external authorized users gain access to all 
future BSA IT Mod applications. 

• Infrastructure provides the design, development, 
procurement, and implementation of the development and 
test environments, storage area network(s), and disaster 
recovery capabilities required to support BSA IT Mod 
projects. 

• Broker Information Exchange provides the Financial 
Intelligence Repository, which includes 314A and 314B 
components. The Financial Intelligence Repository project 
is to replace FinCEN's case management systems — FinDB 
for investigative cases, and the Customer Management 
System for compliance cases. The first release of the 
Financial Intelligence Repository project is to create the 
Financial Intelligence Repository and incorporates 
SharePoint (a Microsoft software application for sharing 
information) as a mechanism to share case information 
for both internal and external users. The 314A 
component allows law enforcement agencies to submit 
requests through FinCEN to financial institutions for 
information about financial accounts and transactions of 
persons or businesses that may be involved in terrorism 
or money laundering. The 31 4B component allows 
financial institutions to share information with one 
another through FinCEN to identify and report suspicious 
money laundering or terrorist activities to the federal 
government. 314A and 314B refer to Section 314 of the 
USA Patriot Act that requires FinCEN of establish these 
functionalities. 28 The project is ongoing as of December 
2013. 

• Alerts provides for an automatic alert to be sent to 
FinCEN analysts about suspicious activities reported by 
filers based on pre-defined criteria. 



Section 314 of the USA Patriot Act is established under 31 U.S.C. § 531 1 . 
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Contractors Engaged by FinCEN 

In March 2008, FinCEN awarded a 5-year indefinite delivery, 
indefinite quantity (IDIQ) contract to BearingPoint, Inc., to 
support a full range of information technology services, 
custom applications, maintenance support, and infrastructure 
support necessary to implement the FinCEN IT operational 
objectives. Numerous task orders have been issued against 
the contract including those for the BSA IT Mod program. 29 
The contract was subsequently transferred to Deloitte 
Consulting, LLP (Deloitte). 30 The contract ceiling is a 
maximum of $144 million and a minimum of $1 million over 
the contract's 5-year life. FinCEN also contracted with 
MITRE Corporation (MITRE) at a cost of approximately $2.1 
million to provide management guidance, coordination, and 
evaluation support for BSA IT Mod. 31 MITRE is a subject 
matter expert on program and project management, and BSA 
IT Mod business capabilities. 

FinCEN is using the Treasury's Bureau of the Fiscal Service 
Administrative Resource Center for new contracting services 
related to BSA IT Mod. FinCEN had previously used the 
Acquisitions Services Directorate of the U.S. Department of 



29 An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. 
This type of contract is used when it cannot be predetermined, above a specified minimum, 
the precise quantities of supplies or services that the government will require during the 
contract period. IDIQ contracts are most often used for service contracts and architect- 
engineering services. An IDIQ contract is flexible, especially when not all the requirements 
are known at the start of a contract and is conducive to a modular approach, which would be 
one with phases or milestones. 

30 The IDIQ contract was transferred from BearingPoint, Inc. to Deloitte on October 1, 2009 
after Deloitte purchased substantially all of the assets of Bearing Point, Inc., Public Service 
Division. 

31 MITRE is a not-for-profit organization chartered to work in the public interest with expertise 
in systems engineering, information technology, operational concepts, and enterprise 
modernization. Among other things, it manages federally funded research and development 
centers, including one for IRS and U.S. Department of Veterans Affairs (the Center for 
Enterprise Modernization). Under Treasury's existing contract with MITRE, Treasury and its 
bureaus, with permission of the IRS sponsor, may contract for support, and to facilitate the 
modernization of systems and their business and technical operation, the following task 
areas: strategic management, technical management, program and project management, 
procurement, and evaluation and audit. 
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the Interior as the contract office to administer the contract. 
FinCEN chose this office because of its prior experience 
handling large, complex procurements. 

FinCEN officials told us that Deloitte's 5-year IDIQ contract 
ended in March 2013; however, the Acquisitions Services 
Directorate allowed a 6-month extension to September 2013 
and allowed FinCEN to extend various task orders under the 
IDIQ contract. As of December 31, 2013, FinCEN officials 
stated that Deloitte still had one task order in place to 
complete development of the Broker Information Exchange, 
which had been extended until the end of April 2014. 

During this audit period, FinCEN awarded new BSA IT Mod 
contracts using the Administrative Resource Center as the 
contracting agency. 

• In August 2013, a new contract for BSA IT Mod network 
support was awarded to NavStar, as a 2.5-year firm fixed 
contract. The contract awards $2,064 million in the six 
month base year and has a contract ceiling of $9.3 
million. Deloitte's task order under its IDIQ contract for 
network support ended at the end of September 2013. 

• In September 2013, a new contract for BSA IT Mod 
program management support was awarded to Total 
Systems Technologies Corporation, as a 3-year, firm 
fixed price contract. The contract award was for 
$750,761 in the base year with a total contract ceiling of 
$2,279 million. Deloitte continued its support program 
management during the transition until the expiration of 
Deloitte's contract at the end of December. 

• In November 2013, a new contract for operations and 
maintenance was awarded to Northrup Grumman. It is a 
6-month contract with three 1-year extensions with a 
total value of $22,823,940. 
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As of December 31, 2013, all BSA IT Mod component projects are 
completed except for the second phase of Release 2 of the Broker 
Information Exchange project. Table 1 displays the status of BSA 
IT Mod by project. 



Table 1. BSA IT Mod Project Schedule Status as of December 31, 2013 
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10/16/2012 


Complete 



FinCEN's BSA IT Modernization Program is on Budget, on Schedule, and Close Page 24 
to Completion (0IG-1 4-029) 



Appendix 3 

BSA IT Mod Project Schedule Status 



Table 1. BSA IT Mod Project Schedule Status as of December 31, 2013 
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Completion 


Project 




Completion 


Completion 


Date at 


Status at 




Date at May 


Date at June 
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Project 


2010 1 


2011 2 


20 13 3 


2013 


Infrastructure & Portal Security 










Develop and Test 


9/30/2010 


9/30/2010 


9/30/2010 


Complete 


Release 1 


3/31/201 1 


3/31/201 1 


3/31/201 1 


Complete 


Release 2 


9/30/201 1 


9/30/201 1 


9/30/201 1 


Complete 


Release 3 


6/30/2012 


n/a 7 


n/a 7 


n/a 7 



Source: OIG analysis of FinCEN documentation. 

1 The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design 
and development of projects after receiving Office of Management and Budget approval. 

2 FinCEN submitted a baseline change request to the Treasury CIO to adjust selected project milestone 
schedule dates and realign costs to keep the overall program on track. The baseline change was implemented 
in June 201 1 . 

3 Dates represent the actual completion dates if the project was completed, or the planned completion date as 
of the cutoff date of our review (December 31 , 201 3). 

4 A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold 
information concerning or derived from intelligence sources, methods, or analytical processes. FinCEN plans 
to provide its SCIF with advanced analytics capability, which was not part of the May 2010 initial plan but 
was part of the June 201 1 baseline change request. 

5 A baseline change was implemented in March 2013 which adjusted the schedule completion dates. 

6 Initially, Release 2 of the project was planned as one phase. 

7 Not applicable - The work planned for Infrastructure release 3 was removed from the project and will be 
done as part of BSA IT Mod's on-going operations and maintenance. 
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DEPARTMENT OF THE TREASURY 
FINANCIAL CRIMES ENFORCEMENT NETWORK 



DIRECTOR 



March 19, 2014 



MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FREEDMAN 



FROM: 



Jennifer Shasky Calvery lal 



SUBJECT: 



Management Response lo the Draft Report —FinCEN's BSA IT 
Modernization is on Budget, on Schedule, and Close to Completion 



Thank you lor Ihe opportunity lo review Ihe Office of Inspector General (OIG) (irall audit 
report on the bureau's BSA IT Modernization Program. Once again, I appreciate the OIG's 
recognition that the program is within budget and on schedule, and that appropriate oversight 
continues. 

Over the next several montlis. 1-inCL'N will finalize the remaining development portion 
of the Program and fully transition into Ihe operations and maintenance phase. We are 
committed to continuing our work with the Data Management Council to review and prioritize 
all system issues as they arise, and balance the needs of our multiple stakeholders as they 
continue to evolve. 

The attachment outlines our response to the two audit recommendations. If you have any 
questions or need additional information, please contact Becky Martin, Assistant Director, Office 
of Financial Management, on 703-905-3860. 
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Attachment: FinCEN Planned Corrective Actions 

1. Continue to work with users to address user requests for training and enhancements. 

IinCEX Response: Concur. FinCEN uses the Data Management Council (DMC) as the 
forum to discuss the business impacts ofsystem issues raised by users (which can include 
corrections, modifications, or enhancements to system capabilities, reports and or training). 
FinCF.N w ill continue to use the DMC in this manner to inform the Inv estment Rev iew 
Hoard as it prioritizes work efforts throughout operations and maintenance. 

Status: Closed 

2. Make agencies aw are of the process to contact Fint "KN if misuse of BSA data is 
suspected. 

FinCEN Response: Concur. FinCEN plans to present the current process for investigating 
potential misuse of data to the DMC. Additionally. FinCEN will notify each agency 
coordinator that if misuse of BSA data is suspected, the coordinator should contact FinCEN 
to ensure a review of the situation has been identified. 

Status: Open. Estimated completion date April 2014. 
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